From 8f76da3b3a80985bbf9aee2560fe6f3bb93ba1da Mon Sep 17 00:00:00 2001 From: David Runge Date: Wed, 13 Nov 2019 22:22:14 +0100 Subject: PKGBUILD: Ugrading to 4.19.82.30. Updating maintainer info. Merging current Arch specific patches. Replacing all msg2 calls with echo. --- .SRCINFO | 22 ++-- ...ctl-and-CONFIG-to-disallow-unprivileged-C.patch | 132 +++++++++++++++++++++ ...to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 101 ---------------- ...-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 --------- PKGBUILD | 64 +++++----- config | 9 +- 6 files changed, 176 insertions(+), 209 deletions(-) create mode 100644 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch delete mode 100644 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch delete mode 100644 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch diff --git a/.SRCINFO b/.SRCINFO index 04e77c6..8460d9d 100644 --- a/.SRCINFO +++ b/.SRCINFO @@ -1,5 +1,5 @@ pkgbase = linux-rt-lts - pkgver = 4.19.72.26 + pkgver = 4.19.82.30 pkgrel = 1 url = https://wiki.linuxfoundation.org/realtime/start arch = x86_64 
@@ -15,26 +15,24 @@ pkgbase = linux-rt-lts makedepends = python-sphinx_rtd_theme makedepends = xmlto options = !strip - source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.72.tar.xz - source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.72.tar.sign - source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.72-rt26.patch.xz - source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.72-rt26.patch.sign + source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.82.tar.xz + source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.82.tar.sign + source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.82-rt30.patch.xz + source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.82-rt30.patch.sign source = config - source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - source = 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch + source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E validpgpkeys = 8218F88849AAC522E94CF470A5E9288C4FA415FA validpgpkeys = 64254695FFF0AA4466CC19E67B96E8162A8CF5D1 validpgpkeys = 5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73 validpgpkeys = E644E2F1D45FA0B2EAA02F33109F098506FF0B14 - sha256sums = f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d + sha256sums = 58d96d6c2c5ee8288fe9714891e4037a18f457b008e369e33fc744afc2cb595d sha256sums = SKIP - sha256sums = 7e360014f510daf6ab886f272531f98d9ae5cb5a55973a9b636346ac45f841f6 + sha256sums = c299a487a4a0446019b15241e132f6d570910eb18a968309f57b9bc8e44fc23a sha256sums = SKIP - sha256sums = e5a6ac3346c359353b3a7491bb77637870328a4bf3f3d57bf434a29b72632600 - sha256sums = 75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc - sha256sums = 
67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d + sha256sums = ab71979485ff9771d264c692a1215b5657455e844a16e00656cba0c810a99a81 + sha256sums = a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2 pkgname = linux-rt-lts pkgdesc = The Linux-rt-lts kernel and modules diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch new file mode 100644 index 0000000..f93022e --- /dev/null +++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch 
@@ -0,0 +1,132 @@ +From 6136ffb3d88e9f044260f8288d2d0a1edd64379e Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" +Date: Mon, 16 Sep 2019 04:53:20 +0200 +Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged + CLONE_NEWUSER + +Our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/fork.c | 15 +++++++++++++++ + kernel/sysctl.c | 12 ++++++++++++ + kernel/user_namespace.c | 7 +++++++ + 4 files changed, 50 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index bd7d650d4a99..658f9c052151 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1091,6 +1091,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. 
++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/fork.c b/kernel/fork.c +index 541fd805fb88..ffd57c812153 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -106,6 +106,11 @@ + + #define CREATE_TRACE_POINTS + #include ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#else ++#define unprivileged_userns_clone 0 ++#endif + + /* + * Minimum number of threads to boot the kernel +@@ -1788,6 +1793,10 @@ static __latent_entropy struct task_struct *copy_process( + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. +@@ -2819,6 +2828,12 @@ int ksys_unshare(unsigned long unshare_flags) + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 078950d9605b..baead3605bbe 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -110,6 +110,9 @@ extern int core_uses_pid; + extern char core_pattern[]; + extern unsigned int core_pipe_limit; + #endif ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#endif + extern int pid_max; + extern int pid_max_min, pid_max_max; + extern int percpu_pagelist_fraction; +@@ -545,6 +548,15 @@ static struct ctl_table kern_table[] = { + .proc_handler = proc_dointvec, + }, + #endif ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef 
CONFIG_PROC_SYSCTL + { + .procname = "tainted", +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 8eadadc478f9..c36ecd19562c 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -21,6 +21,13 @@ + #include + #include + ++/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else ++int unprivileged_userns_clone; ++#endif ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + +-- +2.23.0 + diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch deleted file mode 100644 index e57df3b..0000000 --- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ /dev/null 
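Review bot: The `unprivileged_userns_clone` entry added to `kern_table` uses `proc_dointvec`, so any integer is accepted and every non-zero value, negatives included, leaves unprivileged `CLONE_NEWUSER` enabled, because `copy_process()` and `ksys_unshare()` only test `!unprivileged_userns_clone`. I would switch the handler to `.proc_handler = proc_dointvec_minmax,` and bound it to 0 and 1 through `.extra1`/`.extra2`, so the knob has exactly two defined states. The Kconfig help says "create new namespaces" while the added checks gate only `CLONE_NEWUSER`; "create new user namespaces" would match the code. With `default y` the restriction stays off unless the packaged `config` or the sysctl disables it, and the `config` change is not visible here, so the effective default should be confirmed there. The bodies of `copy_process()` and `ksys_unshare()` continue outside the embedded patch's hunks.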
@@ -1,101 +0,0 @@ -From 1a47eb71988a919e811ce558f6f58855155c6218 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default - -Signed-off-by: Serge Hallyn -[bwh: Remove unneeded binary sysctl bits] -Signed-off-by: Daniel Micay ---- - kernel/fork.c | 15 +++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 3 +++ - 3 files changed, 30 insertions(+) - -diff --git a/kernel/fork.c b/kernel/fork.c -index 8ed48ca2cc43..e02823819ab7 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -103,6 +103,11 @@ - - #define CREATE_TRACE_POINTS - #include -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#else -+#define unprivileged_userns_clone 0 -+#endif - - /* - * Minimum number of threads to boot the kernel -@@ -1625,6 +1630,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. 
-@@ -2421,6 +2430,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 2d9837c0aff4..eb5236c069fc 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -105,6 +105,9 @@ extern int core_uses_pid; - extern char core_pattern[]; - extern unsigned int core_pipe_limit; - #endif -+#ifdef CONFIG_USER_NS -+extern int unprivileged_userns_clone; -+#endif - extern int pid_max; - extern int pid_max_min, pid_max_max; - extern int percpu_pagelist_fraction; -@@ -519,6 +522,15 @@ static struct ctl_table kern_table[] = { - .proc_handler = proc_dointvec, - }, - #endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+#endif - #ifdef CONFIG_PROC_SYSCTL - { - .procname = "tainted", -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index e5222b5fb4fe..c941a66e51d1 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -26,6 +26,9 @@ - #include - #include - -+/* sysctl */ -+int unprivileged_userns_clone; -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -2.19.0 - diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch deleted file mode 100644 index 7fa619f..0000000 --- a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" -Date: Thu, 7 Dec 2017 13:50:48 +0100 -Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone - -This way our default behavior continues to match the vanilla kernel. ---- - init/Kconfig | 16 ++++++++++++++++ - kernel/user_namespace.c | 4 ++++ - 2 files changed, 20 insertions(+) - -diff --git a/init/Kconfig b/init/Kconfig -index 4592bf7997c0..f3df02990aff 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1004,6 +1004,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 6b9dbc257e34..107b17f0d528 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -27,7 +27,11 @@ - #include - - /* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else - int unprivileged_userns_clone; -+#endif - - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); --- -2.22.0 - diff --git a/PKGBUILD b/PKGBUILD index 1838683..2ba767e 100644 --- a/PKGBUILD +++ b/PKGBUILD 
@@ -1,13 +1,13 @@ # Maintainer: Joakim Hernberg -# Contributor: David Runge +# Contributor: David Runge # Contributor: Ray Rashif # Contributor: timbosa # Contributor: Jan Alexander Steffens (heftig) # Contributor: Tobias Powalowski # Contributor: Thomas Baechler -_pkgver=4.19.72 -_rtpatchver=26 +_pkgver=4.19.82 +_rtpatchver=30 pkgbase=linux-rt-lts pkgver=${_pkgver}.${_rtpatchver} pkgrel=1 @@ -23,9 +23,8 @@ source=( "https://www.kernel.org/pub/linux/kernel/v4.x/linux-${_pkgver}.tar.sign" "https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-rt${_rtpatchver}.patch.xz" "https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-rt${_rtpatchver}.patch.sign" - config # the main kernel config file - 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch + 'config' + '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch' ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -35,13 +34,12 @@ validpgpkeys=( '5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73' # Steven Rostedt 'E644E2F1D45FA0B2EAA02F33109F098506FF0B14' # Thomas Gleixner ) -sha256sums=('f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d' +sha256sums=('58d96d6c2c5ee8288fe9714891e4037a18f457b008e369e33fc744afc2cb595d' 'SKIP' - '7e360014f510daf6ab886f272531f98d9ae5cb5a55973a9b636346ac45f841f6' + 'c299a487a4a0446019b15241e132f6d570910eb18a968309f57b9bc8e44fc23a' 'SKIP' - 'e5a6ac3346c359353b3a7491bb77637870328a4bf3f3d57bf434a29b72632600' - '75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc' - '67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d') + 'ab71979485ff9771d264c692a1215b5657455e844a16e00656cba0c810a99a81' + 'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2') export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase 
@@ -54,7 +52,7 @@ prepare() { msg "applying patch-${_pkgver}-rt${_rtpatchver}.patch" patch -Np1 -i "../patch-${_pkgver}-rt${_rtpatchver}.patch" - msg2 "Setting version..." + echo "Setting version..." scripts/setlocalversion --save-scmversion echo "-$pkgrel" > localversion.10-pkgrel echo "${pkgbase#linux}" > localversion.20-pkgname @@ -64,17 +62,17 @@ prepare() { src="${src%%::*}" src="${src##*/}" [[ $src = *.patch ]] || continue - msg2 "Applying patch $src..." + echo "Applying patch $src..." patch -Np1 < "../$src" done - msg2 "Setting config..." + echo "Setting config..." cp ../config .config make olddefconfig # make menuconfig # CLI menu for configuration make -s kernelrelease > version - msg2 "Prepared %s version %s" "$pkgbase" "$(